Splitting the Graph (Graph Groups)
Analysts may oftentimes wish to work on two or more different graphs at the same time to compare and/or contrast those graphs.
In order to do this, you can right-click on the graph tab at the top of the canvas and select New Document Tab Group. To return to the standard view, you can either close the graphs in the new Tab Group, or select Collapse Document Tab Group, thus collapsing all graphs back into one group.
Finding Items Across Multiple Graphs
Instructions for locating items such as Entities, links, keywords, and properties present in multiple graphs can be found below.
Often, while working on multiple graphs during an investigation, it becomes necessary to locate items across multiple graphs. This can be achieved in two ways:
- Selecting and copying Entities from one graph to another while noting common Entities.
- Using the feature 'Find in Files' to search items in saved graphs.
Using bookmarks: the select, copy, and paste method
Firstly, let us work through how we can use the selection, copy, and paste method to find common Entities.
Consider the following graphs for example:
Step 1. Select 'Person One' from Graph1 by using a bookmark color and click the Investigate tab > Select Bookmarked
Step 2. Right click on Graph1 > click 'Copy' > select 'Copy' (as GraphML)
Step 3. Switch to Graph2 and press Ctrl+v to paste the copied GraphML.
You will see a popup showing the matched Entities.
The "Find in Files" method
In addition to the first example, we can find emails, notes and links in multiple saved graphs with the help of the "Find in Files" feature. Note that using the 'Find in Files' feature first requires that all open graphs are saved to the file system.
Step 1. Select the option 'Find in Files' from the Investigate tab.
Step 2. Fill in search parameters to find all emails ending with '@paterva.com' and click Search
Where: location in file system where the graphs are saved.
Find: piece of string that has to be found.
Graph items: '@paterva.com' is an Entity, check-mark Entities and select 'Email Address' from the dropdown menu.
Search in: Check mark all options to find '@paterva.com' in places other than the value of Entity itself.
Step 3. Results found will be displayed as a list. Double clicking the result will take you to that Entity.
Step 4. Similarly we can find text in notes.
Results:
Step 5. To find links, use parameters similar to these.
Results:
Using Bookmarks to Return to Relevant Data
What follows is a simple overview of how to select and use Bookmarks.
Bookmarks help to:
- Provide anchor points for important data
- Show the nexus of an investigation
Using Bookmarks (the select, copy, and paste method)
Here is a more complex explanation of Bookmarks.
Firstly, let us work through how we can use the selection, copy, and paste method to find common Entities.
Consider the following graphs for example:
Step 1. Select 'Person One' from Graph1 by using a bookmark color and click the Investigate tab > Select Bookmarked
Step 2. Right click on Graph1 > click 'Copy' > select 'Copy' (as GraphML).
Step 3. Switch to Graph2 and press Ctrl+v to paste the copied GraphML.
A popup will appear showing the matched Entities.
For each matched Entity you have the choice of which you would prefer to keep, or whether to merge them into a single Entity.